MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 51ddc94e9230a48fc787f52b05342f7b1fec562bb7bd8d4155e99156e6564fde. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	51ddc94e9230a48fc787f52b05342f7b1fec562bb7bd8d4155e99156e6564fde
SHA3-384 hash:	3f67112a06ed66f02be23833d75a7b84ebe1196f1cb2ca1df9f6483f871d4f76ecc6f374b92cbf9555250ca3504d26a4
SHA1 hash:	b43f62f987ae478ceea572b4b0168d1120e05d63
MD5 hash:	f867f6ce1f2db6e2766090cb061ac15b
humanhash:	mango-xray-fix-harry
File name:	PROFORMA INVOICE.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	171'880 bytes
First seen:	2022-09-23 05:26:54 UTC
Last seen:	2022-10-03 06:59:33 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	176ce6397deb91dca8c8158bf86c99a0 (16 x GuLoader, 4 x Formbook, 3 x Loki)
ssdeep	3072:y/c/d6j3AaTzfYbNwdIny5720LwuwU4oy8Qww4LsNR4Uw3+mQ8UZfSeM:y/c/43A4S8cy57rLwPU4ew4LU4UBUs1M
TLSH	T1AAF3F156DF85C4E3FDA3097000BA2A279FBABD0584A4770BD314AE5FFD022915B1E276
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	adrian__luca
Tags:	exe GuLoader signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:	sha256WithRSAEncryption
Valid from:	2022-09-23T02:12:48Z
Valid to:	2025-09-22T02:12:48Z
Serial number:	2b911a123b7587e2
Thumbprint Algorithm:	SHA256
Thumbprint:	13cb3ea866bdc967819e78c74ff4173f847fc016f6360542a5f5a399e093f4ea
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

370

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/312497/

Detection(s):

SecuriteInfo.com.Gen.Variant.Nemesis.11075.21559.23980.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a window

Creating a file

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/38523/overview

Behaviour

MalwareBazaar

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/632d43be36ba812561b08fa1/reports/0d558488-0692-44d8-bc32-f8f92b57e1dd/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/2d3dfe23-4693-4249-b942-105626d47530

Result

Threat name:

AgentTesla, GuLoader

Detection:

malicious

Classification:

evad.troj.spyw

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1075671

Signature

Executable has a suspicious name (potential lure to open the executable)

Initial sample is a PE file and has a suspicious name

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected GuLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/51ddc94e9230a48fc787f52b05342f7b1fec562bb7bd8d4155e99156e6564fde/

Threat name:

Win32.Trojan.Krynis

Status:

Malicious

First seen:

2022-09-23 04:28:18 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

15 of 26 (57.69%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=kho4stusgcsi7r4h6uvqknbppmp6yvrlw66y2qkv5givnzswj7pa._file

Verdict:

malicious

Label(s):

cloudeye

Result

Malware family:

guloader

Score:

10/10

Tags:

family:guloader discovery downloader

Link:

https://tria.ge/reports/220923-f5e2xahbfk/

Behaviour

Enumerates physical storage devices

Drops file in Windows directory

Checks installed software on the system

Loads dropped DLL

Guloader,Cloudeye

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/a9a9e42e-a615-4e12-b38b-b870ca35b169

Unpacked files

SH256 hash:

703e17d30a91775f8ddc2648b537fc846fad6415589a503a4529c36f60a17439

MD5 hash:

637e1fa13012a78922b6e98efc0b12e2

SHA1 hash:

8012d44e42cd6d813ea63d5ccbf190fe72e3c778

Link:

https://www.unpac.me/results/9a4beb06-4049-45f2-8f78-78adb420969e/

SH256 hash:

da49d6bee8888263abfbd410699cb675bd6d9c29e4a305d3117d54e7ae321462

MD5 hash:

909c45dd8bf19cea3792935a768cd16e

SHA1 hash:

456bdc3dcff07a379d672c7ec5ab6a5b7fbc481e

Link:

https://www.unpac.me/results/9a4beb06-4049-45f2-8f78-78adb420969e/

SH256 hash:

51ddc94e9230a48fc787f52b05342f7b1fec562bb7bd8d4155e99156e6564fde

MD5 hash:

f867f6ce1f2db6e2766090cb061ac15b

SHA1 hash:

b43f62f987ae478ceea572b4b0168d1120e05d63

Link:

https://www.unpac.me/results/9a4beb06-4049-45f2-8f78-78adb420969e/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.07

Link:

https://yomi.yoroi.company/submissions/51ddc94e9230a48fc787f52b05342f7b1fec562bb7bd8d4155e99156e6564fde

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

exe 51ddc94e9230a48fc787f52b05342f7b1fec562bb7bd8d4155e99156e6564fde

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/312497/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample